Defcon, the annual security conference in Las Vegas, has a grand tradition of hacking ATMs: unlocking them with safe-cracking techniques, tricking them to steal users’ personal data or PINs, creating and improving ATM malware, and, of course, hacking the machine to spit out all your cash. Many of these projects have targeted what are known as retail ATMs — stand-alone devices like the ones you’d find in a gas station or bar. But on Friday, independent researcher Matt Burch will present the results of his research on “financial” or “enterprise” ATMs, the types used by banks and other large institutions.
Burch documented six vulnerabilities in Vynamic Security Suite (VSS), a widely deployed security solution from ATM manufacturer Diebold Nixdorf. The company said all of the vulnerabilities have been patched, but an attacker could exploit them to circumvent hard drive encryption in unpatched ATMs and gain full control of the machines. Fixes for the bugs exist, but Burch warned that in practice the patches may never be widely deployed, leaving some ATMs and cashout systems at risk.
“The Vynamic Security Suite has a number of different features, including endpoint protection, USB filtering, and delegated access,” Burch tells WIRED, “but the particular attack surface I’m exploiting is the hard drive encryption module. There are six vulnerabilities in it. This is because I identify paths and files to exploit, report them to Diebold, who then fixes the issue, and then I find another way to achieve the same result. These are relatively simple attacks.”
All of the vulnerabilities Burch found were in VSS’s ability to enable disk encryption on the ATM hard drive. Burch said most ATM manufacturers use Microsoft’s BitLocker Windows encryption for this purpose, but Diebold Nixdorf’s VSS uses a third-party integration to perform the integrity check. The system was set up in a dual-boot configuration with both a Linux partition and a Windows partition. Before the operating system boots, the Linux partition runs a signature integrity check to ensure the ATM hasn’t been compromised, and then it boots into Windows and operates as normal.
“The problem is that to do all of this, the system needs to be decrypted, which creates an opportunity for attack,” Burch said. “The fundamental flaw I’m exploiting is that the Linux partition is not encrypted.”
Burch discovered that he could manipulate the location of a critical system validation file to redirect code execution, essentially giving himself control of the ATM.
Diebold Nixdorf spokesman Michael Jacobsen told WIRED that Burch first disclosed his findings to the company in 2022, and that the company had been in contact with Burch about speaking at Defcon. The company said that all of the vulnerabilities Burch presented were addressed with patches in 2022. However, Burch said that it is his understanding that the company continued to address some of the findings with patches in 2023, as he brought new versions of the vulnerabilities to the company over the past few years. Burch added that he believes Diebold Nixdorf addressed the vulnerabilities at a more fundamental level in April in VSS version 4.4, which encrypts Linux partitions.